Fix Zizmor v1.25 CI failures before merging zizmor-action bump #68

@j7an

Description

PR #64 bumps zizmorcore/zizmor-action from v0.5.3 to v0.5.6, which changes the bundled Zizmor engine from 1.24.1 to 1.25.2. The Workflow Security Analysis check now fails.

There are two problems to address:

  1. Zizmor's online impostor-commit audit aborts while scanning .github/workflows/publish-pypi.yml:

     'impostor-commit' audit failed
     couldn't list tags for astral-sh/setup-uv
     HTTP status client error (401 Unauthorized)

  2. Running zizmor 1.25.2 locally exposes a new high-severity github-app finding in .github/workflows/tag-release.yml. The actions/create-github-app-token step currently mints an installation token without explicit permission narrowing, so Zizmor reports that the token inherits broad installation permissions.

Why this matters: the repo uses Zizmor as the workflow security gate. Until these findings are handled, Dependabot's Zizmor action update cannot merge cleanly, and the release workflow has a real least-privilege issue around the GitHub App token used for Git Data API writes.

Acceptance Criteria

  • tag-release.yml constrains the GitHub App token permissions to the minimum required for checkout and Git Data API commit/tag writes, expected to include permission-contents: write.
  • zizmor . --min-severity medium --min-confidence medium --no-progress --color never --no-online-audits no longer reports the github-app finding.
  • The PR deps: bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 #64 Workflow Security Analysis check no longer fails on the impostor-commit 401 Unauthorized error.
  • The chosen handling for the online audit failure is explicit in security.yml, either by pinning the Zizmor engine version temporarily or disabling online audits with a comment explaining the tradeoff.
  • Existing CI remains green: bats, inline-sync, lint-workflow-call, and Workflow Security Analysis.
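As an added illustration (not the repository's own tag-release.yml), the token-minting step in the shape Zizmor flags next to the narrowed version the acceptance criteria ask for. The step names, the app-id variable, the private-key secret name, the checkout step and the action refs are assumptions; the real workflow should pin actions the way the repo's policy requires.

```yaml
# Added example, not the repository's tag-release.yml.
# Secret names, app id variable, step names and action refs are assumptions.

# Before: the token inherits every permission granted to the App installation.
# zizmor 1.25.x reports this as a high-severity `github-app` finding.
- name: Mint GitHub App token (broad)
  id: app-token-broad
  uses: actions/create-github-app-token@v2   # pin to a commit SHA in the real workflow
  with:
    app-id: ${{ vars.RELEASE_APP_ID }}
    private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

# After: request only what checkout and Git Data API commit/tag writes need.
# Permissions not listed are dropped from the minted installation token, so a
# leaked or misused token cannot reach issues, pull requests, secrets, etc.
- name: Mint GitHub App token (least privilege)
  id: app-token
  uses: actions/create-github-app-token@v2   # pin to a commit SHA in the real workflow
  with:
    app-id: ${{ vars.RELEASE_APP_ID }}
    private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
    # Scope the token to this repository only, not every repo the App is installed on.
    owner: ${{ github.repository_owner }}
    repositories: ${{ github.event.repository.name }}
    # Checkout and the Git Data API (blobs, trees, commits, refs) both fall under `contents`.
    permission-contents: write

- name: Check out with the scoped token
  uses: actions/checkout@v4                  # pin to a commit SHA in the real workflow
  with:
    token: ${{ steps.app-token.outputs.token }}
    persist-credentials: false
```

Re-running the zizmor command from the acceptance criteria against the narrowed step is the check that the github-app finding is gone; the impostor-commit 401 is a separate, online-audit problem and is unaffected by this change.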
